Injectable Exploits: Two New Tools for Pwning Web Apps and Browsers

The presentation

Kevin Johnson

Injectable exploits focus on the exploitation of major web flaws during penetration tests. Two new tools will be released that expand the foothold penetration testers can obtain through SQL injection and XSS flaws. These tools provide greater insight into the network hosting the web application and the networks in which the users are located. The first tool, Yokoso!, is an infrastructure fingerprinting system delivered via an XSS attack. The second tool, Laudanum, is a collection of injectable files that are prebuilt to perform various attacks within a network. The final portion of the talk will cover SamuraiWTF, a live CD environment focused on web penetration tests. It was released during DEFCON 16 and has had four new releases since that time. Both Yokoso! and Laudanum will be included on a new version of SamuraiWTF released at DEFCON this year.

The speakers

Kevin Johnson is a Senior Security Analyst with InGuardians. Kevin came to security from a development and system administration background. He has many years of experience performing security services for Fortune 100 companies, and in his spare time contributes to a large number of open source security projects. Kevin founded and leads development of the B.A.S.E. (Basic Analysis and Security Engine) project. The BASE project is the most popular web interface for the Snort intrusion detection system. Kevin is an instructor for SANS, teaching both the Incident Handling and Hacker Techniques class and the Web Application Penetration Testing and Ethical Hacking class, of which he is the author. He has presented to many organizations, including Infragard, ISACA, ISSA, RSA and the University of Florida.

Justin Searle, a Senior Security Analyst with InGuardians, specializes in penetration testing and security architecture. Previously, Justin served as JetBlue Airways' IT Security Architect and has provided top-tier support for the largest supercomputers in the world. Justin has taught hacking techniques, forensics, networking, and intrusion detection courses for multiple universities and corporations. Justin has presented at top security conferences including DEFCON, ToorCon, ShmooCon, and SANS. In his rapidly dwindling spare time, Justin co-leads prominent open source projects including The Middler, Samurai Web Testing Framework, and the social networking pentest tools Yokoso! and Laudanum. He is actively working to finish the upcoming bestseller the Seven Most Deadly Social Network Hacks, with Tom Eston of the Security Justice Podcast, and Kevin Johnson of InGuardians. Justin has an MBA in International Technology and is CISSP and SANS GIAC-certified in incident handling and hacker techniques (GCIH) and intrusion analysis (GCIA).

Frank DiMaggio is a manager of the Intel server team with a large insurance company in the Southeast. He has been in a systems administration role for over 18 years, working with small and medium-sized businesses in North Florida. His experience is with Microsoft, Novell and Linux operating systems. In his spare time he contributes to open source security projects such as BASE, SamuraiWTF and Yokoso!